mrblack | 2cf26b87030f07a237b9a714bf4f0fb0cc0a20d88a39f2ffba8e516ff6763dd9

Analysis

max time kernel
8s
max time network
151s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231222-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231222-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f55b3b99e0b783b60e27202f1c839ab1
Size

1.5MB
MD5

f55b3b99e0b783b60e27202f1c839ab1
SHA1

62a9eea529000e27e7524c1a87ee6379fa090d6d
SHA256

2cf26b87030f07a237b9a714bf4f0fb0cc0a20d88a39f2ffba8e516ff6763dd9
SHA512

6fb80e752eac21961c00accce0239cd720f11b7fca776ec068625314594c868bd3fd126a197560a176f1906b2b5e8dbb4a720a44badfb5747b36e1870be5aaf9
SSDEEP

24576:GA46TrzJBisiOvhlOHdSbQmHyJgf/kgX0Exb2cyaGpIoiM1nnLmYXqSYKKZdTrnD:zRNi6OHdSbQoyJyXpxb2PaGpXiM1nLmB

Score

10^/10

mrblack botnet persistence trojan

Malware Config

Signatures

MrBlack Trojan
IoT botnet which infects routers to be used for DDoS attacks.
trojan botnet mrblack

MrBlack trojan 1 IoCs

Processes:

resource	yara_rule
/usr/bin/bsd-port/agent	family_mrblack

Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

description ioc

File opened for modification /etc/init.d/DbSecurityMdt

description	ioc
File opened for modification	/etc/init.d/DbSecurityMdt

Write file to user bin folder 1 TTPs 3 IoCs

Hijack Execution Flow

T1574

Processes:

description	ioc
File opened for modification	/usr/bin/bsd-port/agent.lock
File opened for modification	/usr/bin/bsd-port/udevd.lock
File opened for modification	/usr/bin/bsd-port/agent	cp

Reads runtime system information 2 IoCs
Reads data from /proc virtual filesystem.

Processes:

mkdircp

description ioc process

File opened for reading /proc/filesystems mkdir
File opened for reading /proc/filesystems cp
Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.

Processes:

description ioc

File opened for modification /tmp/moni.note
File opened for modification /tmp/bill.note
File opened for modification /tmp/gates.note

description	ioc	process
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp

description	ioc
File opened for modification	/tmp/moni.note
File opened for modification	/tmp/bill.note
File opened for modification	/tmp/gates.note

/tmp/f55b3b99e0b783b60e27202f1c839ab1
/tmp/f55b3b99e0b783b60e27202f1c839ab1
1⤵
PID:1613

/bin/sh
sh -c "ln -s /etc/init.d/DbSecurityMdt /etc/rc1.d/S97DbSecurityMdt"
1⤵
PID:1619
- /bin/ln
  ln -s /etc/init.d/DbSecurityMdt /etc/rc1.d/S97DbSecurityMdt
  2⤵
  PID:1620

/bin/sh
sh -c "ln -s /etc/init.d/DbSecurityMdt /etc/rc2.d/S97DbSecurityMdt"
1⤵
PID:1621
- /bin/ln
  ln -s /etc/init.d/DbSecurityMdt /etc/rc2.d/S97DbSecurityMdt
  2⤵
  PID:1622

/bin/sh
sh -c "ln -s /etc/init.d/DbSecurityMdt /etc/rc3.d/S97DbSecurityMdt"
1⤵
PID:1623
- /bin/ln
  ln -s /etc/init.d/DbSecurityMdt /etc/rc3.d/S97DbSecurityMdt
  2⤵
  PID:1624

/bin/sh
sh -c "ln -s /etc/init.d/DbSecurityMdt /etc/rc4.d/S97DbSecurityMdt"
1⤵
PID:1625
- /bin/ln
  ln -s /etc/init.d/DbSecurityMdt /etc/rc4.d/S97DbSecurityMdt
  2⤵
  PID:1626

/bin/sh
sh -c "ln -s /etc/init.d/DbSecurityMdt /etc/rc5.d/S97DbSecurityMdt"
1⤵
PID:1627
- /bin/ln
  ln -s /etc/init.d/DbSecurityMdt /etc/rc5.d/S97DbSecurityMdt
  2⤵
  PID:1628

/bin/sh
sh -c "mkdir -p /usr/bin/bsd-port"
1⤵
PID:1629
- /bin/mkdir
  mkdir -p /usr/bin/bsd-port
  2⤵
  - Reads runtime system information
  PID:1630

/bin/sh
sh -c "cp -f /tmp/f55b3b99e0b783b60e27202f1c839ab1 /usr/bin/bsd-port/agent"
1⤵
PID:1631
- /bin/cp
  cp -f /tmp/f55b3b99e0b783b60e27202f1c839ab1 /usr/bin/bsd-port/agent
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/usr/bin/bsd-port/agent

Filesize
324KB

MD5
d75c416c4eb55c6bb56ed599f7f6ab7d

SHA1
3fc97ae9e7fd70ff0fa795983e26bffe4fe9cfd8

SHA256
1e75cfd873a3405b1e26cd454032ccb9cd837664e70df950e07be99bfb1f15ce

SHA512
6f9674dd080a77c0e384e509f18119bb56b5d051b97f99aa99d47394423c9aa502a3f530d298363e6f6e721463b3a2640bf5693fdf1cd4762e736321e9d59104

Download Submit